xenorat | 27bea02ba16a40be47d94547a9cad6dbc6b40111bbf7616c175cf81c83260a5e

General

Target

GlucoseBootstrapper.exe
Size

310KB
MD5

42b5a7ab130d52ef5d1cdb8f1a62e70c
SHA1

43b4275d2442fc2e352dc1890b0dfa031f6aec88
SHA256

27bea02ba16a40be47d94547a9cad6dbc6b40111bbf7616c175cf81c83260a5e
SHA512

1eee045c0d92e8e235694620ea53f379a6a87514b84a0783ff92c85187a51b6a03e7d839910a564e1f7f58d861be87597e3cef056e103877ff6067648dbf7979
SSDEEP

6144:rW991UbxJWt5c2xE7orTkcikKfnvVREg8SSovnF6zeZm4wgXtMhSWJTz3A2Gatec:rOzw45W26CC

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
temp
port
4444
startup_name
antibyfron

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 1 IoCs

pid	Process
1968	GlucoseBootstrapper.exe

Loads dropped DLL 1 IoCs

pid	Process
1656	GlucoseBootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlucoseBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlucoseBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2732	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1968	1656	GlucoseBootstrapper.exe	30
PID 1656 wrote to memory of 1968	1656	GlucoseBootstrapper.exe	30
PID 1656 wrote to memory of 1968	1656	GlucoseBootstrapper.exe	30
PID 1656 wrote to memory of 1968	1656	GlucoseBootstrapper.exe	30
PID 1968 wrote to memory of 2732	1968	GlucoseBootstrapper.exe	31
PID 1968 wrote to memory of 2732	1968	GlucoseBootstrapper.exe	31
PID 1968 wrote to memory of 2732	1968	GlucoseBootstrapper.exe	31
PID 1968 wrote to memory of 2732	1968	GlucoseBootstrapper.exe	31

C:\Users\Admin\AppData\Local\Temp\GlucoseBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\GlucoseBootstrapper.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\XenoManager\GlucoseBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\GlucoseBootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "antibyfron" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBAE6.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBAE6.tmp

Filesize
1KB

MD5
479d65117a5f7fac01ce118201caafb3

SHA1
b2d86fc21c0a76e9affa72fb3a5c2ae415219dc3

SHA256
00a4d1e077010c21caad86d8abb241f758cb1fe6b5d3ca28fd951f982825b1e3

SHA512
e07eca7b339b617e1156d13c24c087f4f519dd3a24d60717c2e2decba13243ec2b428280725072cef92045534f67abc9e26daac8dba6114a96703c7dd9ba990f

Download Submit
\Users\Admin\AppData\Local\Temp\XenoManager\GlucoseBootstrapper.exe

Filesize
310KB

MD5
42b5a7ab130d52ef5d1cdb8f1a62e70c

SHA1
43b4275d2442fc2e352dc1890b0dfa031f6aec88

SHA256
27bea02ba16a40be47d94547a9cad6dbc6b40111bbf7616c175cf81c83260a5e

SHA512
1eee045c0d92e8e235694620ea53f379a6a87514b84a0783ff92c85187a51b6a03e7d839910a564e1f7f58d861be87597e3cef056e103877ff6067648dbf7979

Download Submit
memory/1656-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/1656-1-0x0000000000D20000-0x0000000000D74000-memory.dmp

Filesize
336KB

Download
memory/1968-9-0x0000000000FA0000-0x0000000000FF4000-memory.dmp

Filesize
336KB

Download
memory/1968-10-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1968-13-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1968-14-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1968-15-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads